summaryrefslogtreecommitdiff
path: root/auth2.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth2.c')
-rw-r--r--auth2.c45
1 files changed, 27 insertions, 18 deletions
diff --git a/auth2.c b/auth2.c
index 1b21eb2da..41e77efdc 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
23 */ 23 */
24 24
25#include "includes.h" 25#include "includes.h"
26RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $"); 26RCSID("$OpenBSD: auth2.c,v 1.102 2003/08/26 09:58:43 markus Exp $");
27 27
28#include "ssh2.h" 28#include "ssh2.h"
29#include "xmalloc.h" 29#include "xmalloc.h"
@@ -36,10 +36,14 @@ RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $");
36#include "pathnames.h" 36#include "pathnames.h"
37#include "monitor_wrap.h" 37#include "monitor_wrap.h"
38 38
39#ifdef GSSAPI
40#include "ssh-gss.h"
41#endif
42
39/* import */ 43/* import */
40extern ServerOptions options; 44extern ServerOptions options;
41extern u_char *session_id2; 45extern u_char *session_id2;
42extern int session_id2_len; 46extern u_int session_id2_len;
43 47
44Authctxt *x_authctxt = NULL; 48Authctxt *x_authctxt = NULL;
45 49
@@ -50,10 +54,16 @@ extern Authmethod method_pubkey;
50extern Authmethod method_passwd; 54extern Authmethod method_passwd;
51extern Authmethod method_kbdint; 55extern Authmethod method_kbdint;
52extern Authmethod method_hostbased; 56extern Authmethod method_hostbased;
57#ifdef GSSAPI
58extern Authmethod method_gssapi;
59#endif
53 60
54Authmethod *authmethods[] = { 61Authmethod *authmethods[] = {
55 &method_none, 62 &method_none,
56 &method_pubkey, 63 &method_pubkey,
64#ifdef GSSAPI
65 &method_gssapi,
66#endif
57 &method_passwd, 67 &method_passwd,
58 &method_kbdint, 68 &method_kbdint,
59 &method_hostbased, 69 &method_hostbased,
@@ -85,10 +95,6 @@ do_authentication2(void)
85 /* challenge-response is implemented via keyboard interactive */ 95 /* challenge-response is implemented via keyboard interactive */
86 if (options.challenge_response_authentication) 96 if (options.challenge_response_authentication)
87 options.kbd_interactive_authentication = 1; 97 options.kbd_interactive_authentication = 1;
88 if (options.pam_authentication_via_kbd_int)
89 options.kbd_interactive_authentication = 1;
90 if (use_privsep)
91 options.pam_authentication_via_kbd_int = 0;
92 98
93 dispatch_init(&dispatch_protocol_error); 99 dispatch_init(&dispatch_protocol_error);
94 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 100 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
@@ -157,12 +163,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
157 authctxt->valid = 1; 163 authctxt->valid = 1;
158 debug2("input_userauth_request: setting up authctxt for %s", user); 164 debug2("input_userauth_request: setting up authctxt for %s", user);
159#ifdef USE_PAM 165#ifdef USE_PAM
160 PRIVSEP(start_pam(authctxt->pw->pw_name)); 166 if (options.use_pam)
167 PRIVSEP(start_pam(authctxt->pw->pw_name));
161#endif 168#endif
162 } else { 169 } else {
163 log("input_userauth_request: illegal user %s", user); 170 logit("input_userauth_request: illegal user %s", user);
171 authctxt->pw = fakepw();
164#ifdef USE_PAM 172#ifdef USE_PAM
165 PRIVSEP(start_pam("NOUSER")); 173 if (options.use_pam)
174 PRIVSEP(start_pam(user));
166#endif 175#endif
167 } 176 }
168 setproctitle("%s%s", authctxt->pw ? user : "unknown", 177 setproctitle("%s%s", authctxt->pw ? user : "unknown",
@@ -180,6 +189,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
180 } 189 }
181 /* reset state */ 190 /* reset state */
182 auth2_challenge_stop(authctxt); 191 auth2_challenge_stop(authctxt);
192
193#ifdef GSSAPI
194 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
195 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
196#endif
197
183 authctxt->postponed = 0; 198 authctxt->postponed = 0;
184 199
185 /* try to authenticate user */ 200 /* try to authenticate user */
@@ -210,10 +225,9 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
210 authenticated = 0; 225 authenticated = 0;
211 226
212#ifdef USE_PAM 227#ifdef USE_PAM
213 if (!use_privsep && authenticated && authctxt->user && 228 if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
214 !do_pam_account(authctxt->user, NULL))
215 authenticated = 0; 229 authenticated = 0;
216#endif /* USE_PAM */ 230#endif
217 231
218#ifdef _UNICOS 232#ifdef _UNICOS
219 if (authenticated && cray_access_denied(authctxt->user)) { 233 if (authenticated && cray_access_denied(authctxt->user)) {
@@ -238,13 +252,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
238 /* now we can break out */ 252 /* now we can break out */
239 authctxt->success = 1; 253 authctxt->success = 1;
240 } else { 254 } else {
241 if (authctxt->failures++ > AUTH_FAIL_MAX) { 255 if (authctxt->failures++ > AUTH_FAIL_MAX)
242 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 256 packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
243 }
244#ifdef _UNICOS
245 if (strcmp(method, "password") == 0)
246 cray_login_failure(authctxt->user, IA_UDBERR);
247#endif /* _UNICOS */
248 methods = authmethods_get(); 257 methods = authmethods_get();
249 packet_start(SSH2_MSG_USERAUTH_FAILURE); 258 packet_start(SSH2_MSG_USERAUTH_FAILURE);
250 packet_put_cstring(methods); 259 packet_put_cstring(methods);
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-18 05:59:52 +0000